#5887 - Session cookies should always be HttpOnly / Secure where applicable
| Field | Value |
|---|---|
| Identifier | #5887 |
| Issue type | Minor issue (breaks specific functionality) |
| Title | Session cookies should always be HttpOnly / Secure where applicable |
| Status | Completed |
| Tags | Roadmap: v11 (custom), Type: Security (custom) |
| Handling member | PDStig |
| Version | 10.0.48 beta |
| Addon | core |
| Description | Composr v10 does not currently meet web standards for cookie security. Specifically, session cookies (meaning cookies whose expiry is set to Session, not only the Composr session cookie itself) are not getting the HttpOnly / Secure flags when they should, even when a cookie domain is set. cms_setcookie should force HttpOnly on for session cookies, and Secure where applicable, to meet current web standards; global.js should do the same. |
| Steps to reproduce | |
| Related to | |
| Funded? | No |
| Commits | |
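The policy the description asks cms_setcookie to enforce, as an added checker that is not Composr's code: it parses Set-Cookie headers and flags session cookies (those without Expires or Max-Age) that lack HttpOnly, or that lack Secure when the response was served over HTTPS. The sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers against the session-cookie policy from the issue:
session cookies must carry HttpOnly, and Secure when served over HTTPS.
Constructed example; not Composr's cms_setcookie implementation."""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attr name -> value or True

    @property
    def is_session(self) -> bool:
        # A session cookie is one with neither Expires nor Max-Age set
        return "expires" not in self.attrs and "max-age" not in self.attrs


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header into name, value and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return ParsedCookie(name.strip(), value, attrs)


def audit_cookie(header: str, https: bool) -> list:
    """Return the list of policy violations for one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    problems = []
    if cookie.is_session:
        if "httponly" not in cookie.attrs:
            problems.append(f"{cookie.name}: session cookie missing HttpOnly")
        if https and "secure" not in cookie.attrs:
            problems.append(f"{cookie.name}: session cookie missing Secure on HTTPS")
    return problems


# Constructed sample headers, resembling what a CMS might emit over HTTPS
SAMPLE_HEADERS = [
    "cms_session=abc123; Path=/; Domain=example.test",
    "cms_session=abc123; Path=/; Domain=example.test; Secure; HttpOnly",
    "remember_me=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]


def audit_all(headers, https=True) -> dict:
    """Map each header to its violations (empty list means it passes)."""
    return {h: audit_cookie(h, https) for h in headers}
```

Persistent cookies (with Expires or Max-Age) are reported as passing because the issue's policy only covers session cookies.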

Comments
This patch forces http-only on Session cookies and also correctly applies the Secure property when applicable.
This patch will not work without the updated global*.php files for 10.0.49. See GitLab to get them.